On February 18, California lawmakers proposed two bills that further extend the existing employee and business-to-business (B2B) data exemptions included in the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). AB2891 would extend the exemptions' expiration date until January 1, 2026, while AB2871 would permanently codify these exemptions.
These exemptions were included in the original version of the CCPA, and were set to expire on January 1, 2021, one year after the law’s effective date. On September 28, 2020, legislation was enacted to further extend these exemptions by one year. This initial extension was based in part on the perception that the COVID-19 pandemic had inhibited businesses’ CCPA compliance efforts. A further extension to January 1, 2023, was included in the CPRA, which passed as a ballot proposition on November 3, 2020.
The employee exemption applies to personal information collected by a business from an applicant or employee to the extent that such information is used solely in the employment context. The exemption also explicitly extends to emergency contact information, as well as information necessary for the administration of employment benefits. This exemption is limited in scope, however, as employers must still provide the CCPA “notice at collection,” detailing the categories of information that are to be collected and the purposes for which the information will be used. Furthermore, “personally identifiable information,” as defined by California’s data breach notification law, collected in the employment or B2B context is subject to the CCPA’s data breach provision relating to a private right of action.
Similarly, the B2B exemption holds that personal information collected in the context of due diligence or the provision/receipt of products or services to another organization is not covered by the CCPA.
Other Data Protection Laws
Under the General Data Protection Regulation (GDPR), personal information collected in the B2B and employee context is not exempted.
By contrast, the Virginia Consumer Data Protection Act (VCDPA) and the Colorado Privacy Act (CPA), both of which are set to become effective in 2023, exempt personal information collected in the B2B context. Notably, the VCDPA exempts the personal information of employees as well; the CPA, however, does not. As such, if the CPRA goes into effect as written, the application of CPRA to B2B data would be novel for U.S. state privacy regimes.
Below is a chart that shows how the GDPR, VCDPA, and CPA treat B2B and employee data.
Application to Personal Information Collected in B2B and Employment Context

|               | GDPR    | VCDPA          | CPA            |
|---------------|---------|----------------|----------------|
| B2B Data      | Applies | Does not apply | Does not apply |
| Employee Data | Applies | Does not apply | Applies        |
Takeaways
If neither AB2871 nor AB2891 goes into effect, businesses will have to ensure that personal information collected in the employment and B2B context complies with the CPRA. Businesses should ensure their data maps account for this information, which may be a new exercise for many U.S. companies since other state laws do not apply in these contexts. The 2022 legislative session ends on August 31, and other proposed amendments to California’s privacy regime may be forthcoming. Troutman Pepper will continue to monitor this legislation and will provide further updates and insights leading up to the CPRA’s effective date.